{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23310", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.994Z", "datePublished": "2026-03-25T10:27:05.943Z", "dateUpdated": "2026-03-25T10:27:05.943Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:05.943Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded\n\nbond_option_mode_set() already rejects mode changes that would make a\nloaded XDP program incompatible via bond_xdp_check(). However,\nbond_option_xmit_hash_policy_set() has no such guard.\n\nFor 802.3ad and balance-xor modes, bond_xdp_check() returns false when\nxmit_hash_policy is vlan+srcmac, because the 802.1q payload is usually\nabsent due to hardware offload. This means a user can:\n\n1. Attach a native XDP program to a bond in 802.3ad/balance-xor mode\n with a compatible xmit_hash_policy (e.g. layer2+3).\n2. Change xmit_hash_policy to vlan+srcmac while XDP remains loaded.\n\nThis leaves bond->xdp_prog set but bond_xdp_check() now returning false\nfor the same device. When the bond is later destroyed, dev_xdp_uninstall()\ncalls bond_xdp_set(dev, NULL, NULL) to remove the program, which hits\nthe bond_xdp_check() guard and returns -EOPNOTSUPP, triggering:\n\nWARN_ON(dev_xdp_install(dev, mode, bpf_op, NULL, 0, NULL))\n\nFix this by rejecting xmit_hash_policy changes to vlan+srcmac when an\nXDP program is loaded on a bond in 802.3ad or balance-xor mode.\n\ncommit 39a0876d595b (\"net, bonding: Disallow vlan+srcmac with XDP\")\nintroduced bond_xdp_check() which returns false for 802.3ad/balance-xor\nmodes when xmit_hash_policy is vlan+srcmac. The check was wired into\nbond_xdp_set() to reject XDP attachment with an incompatible policy, but\nthe symmetric path -- preventing xmit_hash_policy from being changed to an\nincompatible value after XDP is already loaded -- was left unguarded in\nbond_option_xmit_hash_policy_set().\n\nNote:\ncommit 094ee6017ea0 (\"bonding: check xdp prog when set bond mode\")\nlater added a similar guard to bond_option_mode_set(), but\nbond_option_xmit_hash_policy_set() remained unprotected."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/bonding/bond_main.c", "drivers/net/bonding/bond_options.c", "include/net/bonding.h"], "versions": [{"version": "39a0876d595bd7c7512782dfcce0ee66f65bf221", "lessThan": "5c262bd0e39320a6d6c8277cb8349ce21c01b8c1", "status": "affected", "versionType": "git"}, {"version": "39a0876d595bd7c7512782dfcce0ee66f65bf221", "lessThan": "d36ad7e126c6a0c5f699583309ccc37e3a3263ea", "status": "affected", "versionType": "git"}, {"version": "39a0876d595bd7c7512782dfcce0ee66f65bf221", "lessThan": "0ace8027e41f6f094ef6c1aca42d2ed6cd7af54e", "status": "affected", "versionType": "git"}, {"version": "39a0876d595bd7c7512782dfcce0ee66f65bf221", "lessThan": "e85fa809e507b9d8eff4840888b8c727e4e8448c", "status": "affected", "versionType": "git"}, {"version": "39a0876d595bd7c7512782dfcce0ee66f65bf221", "lessThan": "479d589b40b836442bbdadc3fdb37f001bb67f26", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/bonding/bond_main.c", "drivers/net/bonding/bond_options.c", "include/net/bonding.h"], "versions": [{"version": "5.15", "status": "affected"}, {"version": "0", "lessThan": "5.15", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.15", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/5c262bd0e39320a6d6c8277cb8349ce21c01b8c1"}, {"url": "https://git.kernel.org/stable/c/d36ad7e126c6a0c5f699583309ccc37e3a3263ea"}, {"url": "https://git.kernel.org/stable/c/0ace8027e41f6f094ef6c1aca42d2ed6cd7af54e"}, {"url": "https://git.kernel.org/stable/c/e85fa809e507b9d8eff4840888b8c727e4e8448c"}, {"url": "https://git.kernel.org/stable/c/479d589b40b836442bbdadc3fdb37f001bb67f26"}], "title": "bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\nbpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded\n\nbond_option_mode_set() already rejects mode changes that would make a\nloaded XDP program incompatible via bond_xdp_check(). However,\nbond_option_xmit_hash_policy_set() has no such guard.\n\nFor 802.3ad and balance-xor modes, bond_xdp_check() returns false when\nxmit_hash_policy is vlan+srcmac, because the 802.1q payload is usually\nabsent due to hardware offload. This means a user can:\n\n1. Attach a native XDP program to a bond in 802.3ad/balance-xor mode\n with a compatible xmit_hash_policy (e.g. layer2+3).\n2. Change xmit_hash_policy to vlan+srcmac while XDP remains loaded.\n\nThis leaves bond->xdp_prog set but bond_xdp_check() now returning false\nfor the same device. When the bond is later destroyed, dev_xdp_uninstall()\ncalls bond_xdp_set(dev, NULL, NULL) to remove the program, which hits\nthe bond_xdp_check() guard and returns -EOPNOTSUPP, triggering:\n\nWARN_ON(dev_xdp_install(dev, mode, bpf_op, NULL, 0, NULL))\n\nFix this by rejecting xmit_hash_policy changes to vlan+srcmac when an\nXDP program is loaded on a bond in 802.3ad or balance-xor mode.\n\ncommit 39a0876d595b (\"net, bonding: Disallow vlan+srcmac with XDP\")\nintroduced bond_xdp_check() which returns false for 802.3ad/balance-xor\nmodes when xmit_hash_policy is vlan+srcmac. The check was wired into\nbond_xdp_set() to reject XDP attachment with an incompatible policy, but\nthe symmetric path -- preventing xmit_hash_policy from being changed to an\nincompatible value after XDP is already loaded -- was left unguarded in\nbond_option_xmit_hash_policy_set().\n\nNote:\ncommit 094ee6017ea0 (\"bonding: check xdp prog when set bond mode\")\nlater added a similar guard to bond_option_mode_set(), but\nbond_option_xmit_hash_policy_set() remained unprotected."}], "id": "CVE-2026-23310", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:27.160", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/0ace8027e41f6f094ef6c1aca42d2ed6cd7af54e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/479d589b40b836442bbdadc3fdb37f001bb67f26"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/5c262bd0e39320a6d6c8277cb8349ce21c01b8c1"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/d36ad7e126c6a0c5f699583309ccc37e3a3263ea"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/e85fa809e507b9d8eff4840888b8c727e4e8448c"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: bpf/bonding: reject vlan+srcmac xmit_hash_policy change when XDP is loaded", "id": "2451187", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451187"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-1288", "details": ["A flaw was found in the Linux kernel's bonding module. A local user could exploit this by changing the transmit hash policy (`xmit_hash_policy`) to `vlan+srcmac` on a bonded network interface while an eXpress Data Path (XDP) program is active. This incompatible configuration change can lead to a kernel warning, potentially causing system instability or a denial of service."], "name": "CVE-2026-23310", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23310\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23310\nhttps://lore.kernel.org/linux-cve-announce/2026032528-CVE-2026-23310-9b67@gregkh/T"], "threat_severity": "Low"}

{"analysis": {"en": {"generated_at": "2026-03-25T12:19:10.388034+00:00", "value": {"mitigation_remediation": ["Update the kernel to a version that contains the commit that guards xmit_hash_policy changes when XDP is loaded", "If an immediate kernel upgrade is not possible, prevent bond bonding interfaces from running XDP programs or block when switching to 802.3ad/balance\u2011xor modes", "Monitor system logs for WARN_ON messages related to dev_xdp_install when removing bonds"], "summary": {"action": "Patch", "impact": "Kernel instability due to XDP cleanup failure"}, "threat_synthesis": {"affected_systems": "All Linux kernel releases that ship the bonding module with XDP support are potentially affected. The issue was introduced by commit 39a0876d595b, so kernels that have not yet incorporated the subsequent patch remain vulnerable. Because distribution\u2011specific kernel packages typically follow the mainline series, any distribution using a kernel older than the version that includes the fix is at risk.", "description_and_impact": "The Linux kernel bonding driver fails to prevent a change of the transmit hash policy to vlan+srcmac while a native XDP program is still attached to a 802.3ad or balance\u2011xor bonded interface. When the bond is later destroyed, the XDP uninstall path calls bond_xdp_set() which uses bond_xdp_check() to verify compatibility. Because the policy is now vlan+srcmac, bond_xdp_check() rejects the operation, returning -EOPNOTSUPP and causing WARN_ON in the XDP install code. In practice this manifests as kernel warnings and can lead to a crash or a denial\u2011of\u2011service condition for the host if the failure propagates into higher\u2011level networking code.", "risk_and_exploitability": "Exploitation requires the ability to load an XDP program, which generally means root or a process with CAP_NET_RAW capability; the description implies that privileged local users can trigger the flaw, so this is a local privileged escalation. No public remote entry is known; the attacker must be able to change bond configuration and load XDP programs. No CVSS score or EPSS value is provided, and the vulnerability is not listed in CISA\u2019s KEV catalog. Nevertheless, the impact on kernel stability is significant, so the risk is considered high for affected hosts."}}}}, "created": "2026-03-25T21:15:19.569067+00:00", "updated": "2026-03-25T21:15:19.569093+00:00", "vendors": [], "weaknesses": ["CWE-703", "CWE-704"]}